On Sat, 2008-06-21 at 00:17 +0200, Johannes Berg wrote:
On Sat, 2008-06-21 at 00:13 +0200, Johannes Berg wrote:
Back to the original question - discount SSH - how do we get compression + SSL out of openssl..
I don't think it's possible. OpenSSL says, in the NOTES section of SSL_COMP_add_compression_method(3):
The TLS standard (or SSLv3) allows the integration of compression methods into the communication. The TLS RFC does however not specify compression methods or their corresponding identifiers, so there is currently no compatible way to integrate compression with unknown peers. It is therefore currently not recommended to integrate compression into applications. Applications for non-public use may agree on certain compression methods. Using different compression methods with the same identifier will lead to connection failure.
However, there is http://tools.ietf.org/html/draft-ietf-tls-compression, but openssl doesn't support that (only zlib and rle).
I'm way behind the times. http://www.faqs.org/rfc/rfc3749.txt
Looking at OpenSSL code, I think the patch below will give 0.9.8 ability to support deflate compression. I'm not sure if I should include that to Dovecot though. At least not for v1.1. :) diff -r 68a0be847980 src/login-common/ssl-proxy-openssl.c --- a/src/login-common/ssl-proxy-openssl.c Fri Jun 20 12:20:17 2008 +0300 +++ b/src/login-common/ssl-proxy-openssl.c Sat Jun 21 04:29:51 2008 +0300 @@ -719,6 +719,7 @@ ssl_clean_free); SSL_library_init(); SSL_load_error_strings(); + (void)SSL_COMP_get_compression_methods(); extdata_index = SSL_get_ex_new_index(0, dovecot, NULL, NULL, NULL);
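Review bot: the added "(void)SSL_COMP_get_compression_methods();" line after SSL_load_error_strings() discards its return value and carries no comment, so a reader cannot tell that it is called only for its side effect. Add a one-line comment saying that it is there to make deflate compression available with OpenSSL 0.9.8. The call also runs unconditionally during SSL initialization, so consider guarding it with a configuration setting, given the OpenSSL note quoted earlier in this thread that integrating compression into applications is currently not recommended.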